Azure Information Protection classic client for Windows

Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Relevant for: Azure Information Protection classic client for Windows. For the unified labeling client, see the unified labeling client admin guide and user guide.

Note

To provide a unified and streamlined customer experience, we are sunsetting the Azure Information Protection classic client and Label Management in the Azure Portal as of March 31, 2021. No further support is provided for the classic client and maintenance versions will no longer be released.

  • The classic client will be fully retired, and will stop functioning, on March 31, 2022.
  • As of March 18, 2022, we are also sunsetting the AIP audit log and analytics, with a full retirement date of September 31, 2022.

For more information, see Removed and retired services.

The Azure Information Protection classic client is the original downloadable client for organizations that use Azure Information Protection to classify and protect documents and emails, or use a Rights Management service to protect their data. This client also has a viewer for organizations that don't have their own information protection infrastructure but want to consume content that has been protected by other organizations that use a Rights Management service from Microsoft.

Use the following resources for the classic client:

Note

Azure Information Protection is not currently supported on Microsoft Azure operated by 21Vianet portal. You can achieve the same functionality using the Azure Information Protection PowerShell commands.

Supported features

The this section lists the features supported by the classic client, in parallel with the comparison section for the unified labeling client and built-in labeling solution in Learn about about built-in labeling and the AIP unified labeling client.

This section also provides a more detailed comparison of supported features between the classic and unified labeling clients.

Classic client features for Office applications

Feature area Supported by the classic client
User experience - Multi-language support
- Information Protection bar in Office apps
Enforcement - Manual labeling
- Mandatory labeling
- PowerShell labeling cmdlets
- Customizations, such as default labels for emails, pop-up messages in Outlook, S/MIME support, and a Report an Issue option

Note: Customization settings are supported as advanced client settings that you configure in the Azure portal
Automation - Default labeling
- Label inheritance from email attachments
Encryption and protection - Recommended or automatic labeling
- User-defined permissions for a label: Do Not Forward for emails and custom permissions for Word, Excel, PowerPoint
- Display the Do Not Forward button in Outlook
- Custom permissions set independently from a label
- Protection-only mode (no labels)
- Support for AD RMS
- Track and revoke protected documents: Admin docs / User docs

Note: Administrators can also use central reporting to identify whether protected documents are accessed from Windows computers, and whether access was granted or denied.
Logging and analytics - Central reporting
- Usage logging in Event Viewer
Visual markings - Visual markings as a label action (header, footer, watermark)
- Per-app visual markings
- Dynamic visual markings with variables
- Remove external content marking in apps
Identity - HYOK support
Workload environment - Support for Microsoft Office 97-2003 formats
- Offline support for protection actions
- Manual policy file management for disconnected computers
- Support for Remote Desktop services

Classic client features for outside Office applications

The following features are supported by the classic client outside of Office applications:

  • Scanner for on-premises data stores
  • Label with File Explorer
  • A viewer for protected files (text, image, PDF, .pfile)
  • PPDF support for applying labels

Detailed comparisons for the AIP clients

When the Azure Information Protection classic client and the Azure Information Protection unified labeling client both support the same feature, use the following lists to help identify some functional differences between the two clients:

AIP client feature comparisons in Office applications

User experience features

Functionality Classic client Unified labeling client
Remove applied label actions User is prompted to confirm

The default label or an automatic label (if configured) is not automatically applied next time the Office app opens the file
User is not prompted to confirm

The default label or an automatic label (if configured) is automatically applied next time the Office app opens the file
Label selection and display when applied in Office apps From the Protect button on the ribbon

From the Information Protection bar (horizontal bar under the ribbon)
From the Sensitivity button on the ribbon

From the Information Protection bar (horizontal bar under the ribbon)
Manage the Information Protection bar in Office apps For users:
Option to show or hide the bar from the Protect button on the ribbon

When a user selects to hide the bar, by default, the bar is hidden in that app, but continues to automatically display in newly opened apps

For admins:
Policy settings to automatically show or hide the bar when an app first opens, and control whether the bar automatically remains hidden for newly opened apps after a user selects to hide the bar
For users:
Option to show or hide the bar from the Sensitivity button on the ribbon.

When a user selects to hide the bar, the bar is hidden in that app and also in newly opened apps

For admins:
PowerShell setting to manage the bar
Label color Configure in the Azure portal Retained after label migration and configurable with PowerShell
Labels support different languages Configure in the Azure portal Configure by using Office 365 Security & Compliance PowerShell
Justification prompts (if configured) per action in Office - Frequency: Per file
- Lowering the sensitivity level
- Removing a label
- Removing protection
- Frequency: Per session
- Lowering the sensitivity level
- Removing a label

Enforcement features

Functionality Classic client Unified labeling client
Setup Option to install local demo policy No local demo policy
Policy update - When an Office app opens
- When you right-click to classify and protect a file or folder
- When you run the PowerShell cmdlets for labeling and protection
- Every 24 hours
- For the scanner: Every hour and when the service starts and the policy is older than one hour
- When an Office app opens
- When you right-click to classify and protect a file or folder
- When you run the PowerShell cmdlets for labeling and protection
- Every 4 hours
- For the scanner: Every 4 hours
Order support for sublabels on attachments Enabled with an advanced client setting Enabled by default, no configuration required

Automation features

Functionality Classic client Unified labeling client
Automatic and recommended labels Configured as label conditions in the Azure portal with built-in information types and custom conditions that use phrases or regular expressions

Configuration options include:
- Unique / Not unique count
- Minimum count
Configured in the Microsoft 365 compliance center with built-in sensitive information types and custom information types

Configuration options include:
- Unique count only
- Minimum and maximum count
- AND and OR support with information types
- Keyword dictionary
- Customizable confidence level and character proximity
Change the default protection behavior for file types Use registry edits to override the defaults of native and generic protection Use PowerShell to change which file types get protected

AIP client feature comparisons outside of Office applications

Functionality Classic client Unified labeling client
Supported formats for PDF Protection:
- ISO standard for PDF encryption (default)
- .ppdf

Consumption:
- ISO standard for PDF encryption
- .ppdf
- SharePoint IRM protection
Protection:
- ISO standard for PDF encryption

Consumption:
- ISO standard for PDF encryption
- .ppdf
- SharePoint IRM protection
Generically protected files (.pfile) opened with the viewer File opens in the original app where it can then be viewed, modified, and saved without protection File opens in the original app where it can then be viewed and modified, but not saved
Supported cmdlets - Cmdlets for labeling
- Cmdlets for protection-only
Cmdlets for labeling:
Set-AIPFileClassification and Set-AIPFileLabel don't support the Owner parameter
In addition, there is a single comment of "No label to apply" for all scenarios where a label isn't applied

Set-AIPFileClassification supports the WhatIf parameter, so it can be run in discovery mode

Set-AIPFileLabel doesn't support the EnableTracking parameter

Get-AIPFileStatus doesn't return label information from other tenants and doesn't display the RMSIssuedTime parameter
In addition, the LabelingMethod parameter for Get-AIPFileStatus displays Privileged or Standard, instead of Manual or Automatic.
Automatic rescans Full rescans are automatically run every time the scanner detects a change in policy or labeling settings Starting in version 2.8.85.0, administrators can choose to skip a full rescan after making changes to policy or content scan job settings.
Network discovery (Public preview) Network discovery features are unavailable for the classic scanner Administrators can discover additional risky repositories by scanning a specified IP address or range.

Features provided for the classic client that are not planned for the unified labeling client

The following features and behavior differences from the classic client are not currently planned to be available in future releases for the unified labeling client:

Install instructions